Cyber security & digital forensics
Lecture two
Access Control and ACLs
• An access control system is the set of technical controls that govern how
subjects may interact with objects.
• Subjects in this sense are users or software processes or anything else that can
request and be granted access to a resource.
• Objects are the resources; these could be networks, servers, databases, files,
and so on.
• In computer security, the basis of access control is usually an Access Control
List (ACL). This is a list of subjects and the rights or permissions they have
been granted on the object. An access control system is usually described in
terms of four main processes:
■ Identification - creating an account or ID that identifies the user or process
on the computer system.
■ Authentication - proving that a subject is who or what it claims to be when
it attempts to access the resource.
■ Authorization - determining what rights subjects should have on each
resource and enforcing those rights.
■ Accounting - tracking authorized and unauthorized usage of a resource.
• For example, if you are setting up an ecommerce site and want to enroll
users, you need to select the appropriate controls to perform each
function:
■ Identification - you need to ensure that customers are legitimate. You
might need to ensure that billing and delivery addresses match for
instance and that they are not trying to use fraudulent payment methods.
■ Authentication - you need to ensure that customers have unique
accounts and that only they can manage their orders and billing
information.
■ Authorization - you need rules to ensure customers can only place
orders when they have valid payment mechanisms in place. You might
operate loyalty schemes or promotions that authorize certain customers
to view unique offers or content.
■ Accounting - the system must record the actions a customer takes.
IDENTIFICATION
• Identification associates a particular user (or software process) with an
action performed on a network system.
• Authentication proves that a user or process is who it claims to be
(that is, that someone or something is not masquerading as a genuine
user). Identification and authentication are vital first steps in the access
control process:
■ To prove that a user is who s/he says s/he is. This is important because
access should only be granted to valid users (authorization).
■ To prove that a particular user performed an action (accounting). This
is important because a user should not be able to deny what they have
done (non-repudiation).
• A subject is identified on a computer system by an account.
• An account consists of an identifier, credentials, and a profile.
• An identifier must be unique. For example, in Windows a subject may be
identified by a username to system administrators and users but is actually
defined on the system by a Security Identifier (SID) string. If the user account
was deleted and another account with the same name subsequently created, the
new account would have a new SID and therefore not inherit any of the
permissions of the old account.
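As an added example (not part of the original lecture), the following Python models an account directory and an ACL that is keyed by an immutable identifier rather than by username, and reproduces the delete-and-recreate case described above. The SID-like format and numbering, and the names Directory, Acl and demo, are assumptions of this example.

```python
from __future__ import annotations

import itertools
from dataclasses import dataclass

# Identifiers stand in for Windows SIDs; the "S-1-5-21-..." prefix is only
# illustrative and the numbering below is an assumption of this example.
_next_rid = itertools.count(1000)


@dataclass(frozen=True)
class Account:
    sid: str       # unique, immutable, never reused: what the ACL refers to
    username: str  # human-readable; a later account may reuse it


class Directory:
    """Account store: a username maps to at most one live account."""

    def __init__(self) -> None:
        self.by_name: dict[str, Account] = {}

    def create(self, username: str) -> Account:
        if username in self.by_name:
            raise ValueError(f"username {username!r} already exists")
        acct = Account(sid=f"S-1-5-21-example-{next(_next_rid)}", username=username)
        self.by_name[username] = acct
        return acct

    def delete(self, username: str) -> None:
        del self.by_name[username]


class Acl:
    """Access control list on one object: SID -> set of permissions.

    The owner holds 'change_acl', so only the owner (or someone the owner
    delegates that right to) may grant rights on the object.
    """

    def __init__(self, owner: Account) -> None:
        self.entries: dict[str, set[str]] = {owner.sid: {"read", "write", "change_acl"}}

    def grant(self, actor: Account, subject: Account, permission: str) -> None:
        if "change_acl" not in self.entries.get(actor.sid, set()):
            raise PermissionError(f"{actor.username} may not change this ACL")
        self.entries.setdefault(subject.sid, set()).add(permission)

    def check(self, subject: Account, permission: str) -> bool:
        # Look up by SID: a subject with a familiar name but a new SID gets nothing.
        return permission in self.entries.get(subject.sid, set())


def demo() -> dict[str, bool]:
    """Delete 'bob', recreate 'bob', and show the new account inherits nothing."""
    directory = Directory()
    alice = directory.create("alice")
    bob = directory.create("bob")
    payroll = Acl(owner=alice)
    payroll.grant(alice, bob, "read")
    before = payroll.check(bob, "read")

    directory.delete("bob")
    bob_again = directory.create("bob")   # same name, fresh SID
    after = payroll.check(bob_again, "read")
    return {
        "bob_read_before_delete": before,
        "bob_read_after_recreate": after,
        "same_sid": bob.sid == bob_again.sid,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the demo is that the ACL never stores "bob"; it stores the SID that "bob" had at the time of the grant, so a recreated account starts with no rights.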
• "Credentials" means the information used to authenticate a subject when it tries
to access the user account. This information could be a username and password
or smart card and PIN code.
• The profile is information stored about the subject. This could include name and
contact details and also group memberships.
Issuance / Enrollment
• Issuance (or enrollment) is the process by which a subject's credentials are
recorded, issued and linked to the correct account, and by which the account
profile is created and maintained. Some of the issues involved are:
■ Identity proofing - verifying that subjects are who they say they are at the time
the account is created. Attackers may use impersonation to try to infiltrate a
company without disclosing their real identity.
• Identity proofing means performing background and records checks at the time
an account is created.
• Websites that allow users to self-register typically employ a CAPTCHA
(Completely Automated Public Turing Test to Tell Computers and Humans
Apart).
• A CAPTCHA is usually a graphic or audio of some distorted letters and digits.
It is intended to stop a software process (bot) from creating accounts in bulk; it
raises the cost of automated registration rather than verifying anyone's identity.
• Ensuring only valid accounts are created - for example preventing the creation of
dummy accounts or accounts for employees that are never actually hired.
• The identity issuance process must be secured against the possibility of insider
threats (rogue administrative users). For example, a request to create an account
should be subject to approval and oversight.
■ Secure transmission of credentials - creating and sending an initial password
securely.
• Again, the process needs protection against snooping and rogue administrative
staff. Newly created accounts with simple or default passwords are an easily
exploitable "backdoor".
■ Revoking the account if it is compromised or no longer in use.
Identity Management
• Identity management refers to the issues and problems that must be overcome in
implementing the identification and authentication system across different
networks and applications.
• A particular subject may have numerous "digital identities", both inside and
outside the company.
• On a personal level, managing those identities is becoming increasingly difficult,
forcing users into insecure practices, such as reusing the same password across
different accounts.
• These difficulties can be mitigated by two techniques:
■ Password reset - automating the password reset process reduces the
administration costs associated with users forgetting passwords, but making
the reset process secure can be problematic.
■ Single sign-on - this means that all network resources and applications
accept the same set of credentials, so the subject only needs to authenticate
once per session (Kerberos is one example).
• This requires application compatibility and is difficult to make secure or
practical across third-party networks.
Authentication
• Assuming that an account has been created securely (the identity of the account
holder has been verified), authentication verifies that only the account holder is
able to use the account (and that the system may only be used by account
holders).
• Authentication is performed when the account holder supplies the appropriate
credentials to the system. These are compared to the credentials stored on the
system. If they match, the account is authenticated. (For passwords, the system
should store only a salted, slow hash of the password and compare against that,
so that a copy of the credential store does not reveal the passwords themselves.)
There are many different technologies for defining credentials. They can be
categorized as the following factors:
■ Something you know (such as a password).
■ Something you have (such as a smart card).
■ Something you are (such as a fingerprint).
Something You Know Authentication
• The typical "something you know" technology is the log on:
this comprises a username and a password. The username is typically not a
secret (though it doesn't do to go round publishing it) but the password must be
known only to the account holder.
A passphrase is a longer password comprising a number of words. This has the
advantages of being more secure and easier to remember.
A Personal Identification Number (PIN) is another example of something you
know.
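How a "something you know" check should be implemented on the server side, as an added example that is not part of the original lecture: the password is stored as a salted PBKDF2 hash, verification recomputes the hash and compares in constant time, and a logon against an unknown username costs the same time as one against a real account so that response timing does not reveal which usernames exist. The record format, the function names and the sample passwords are assumptions of this example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Added example, not part of the original deck. Storage format is an assumption
# of this example: "pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>".
ITERATIONS = 600_000  # OWASP's current recommendation for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted, slow hash; the plaintext password is never stored."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:  # malformed record (binascii.Error is a ValueError)
        return False
    return hmac.compare_digest(candidate, expected)


# A hash for a throwaway password, used so that a logon attempt against a
# non-existent username costs the same time as one against a real account.
_DUMMY_RECORD = hash_password("not-a-real-password")


def authenticate(store: dict[str, str], username: str, password: str) -> bool:
    """Check a username/password pair against a {username: stored_record} table."""
    record = store.get(username, _DUMMY_RECORD)
    matched = verify_password(password, record)
    return matched and username in store


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}
    print(authenticate(users, "alice", "correct horse battery staple"))   # True
    print(authenticate(users, "alice", "Tr0ub4dor&3"))                    # False
    print(authenticate(users, "mallory", "correct horse battery staple")) # False
```

Two hashes of the same password differ because each gets a fresh random salt; that is what stops an attacker who steals the table from cracking every account with one precomputed list.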
Personally Identifiable Information (PII) - something you know
• Another important concept in authentication based on facts that a person knows is
Personally Identifiable Information (PII). PII includes things such as full name,
birth date, address, social security number, and so on. Some bits of information (such
as a social security number) may be unique; others uniquely identify an individual in
combination (for example, full name with birth date and street address).
• PII is often used for password reset mechanisms and to confirm identity over the
telephone. For example, PII may be defined as responses to challenge questions, such
as "What is your favorite color / pet / movie?" Disclosing PII inadvertently can lead
to identity theft (where someone usurps a legally valid identity to conceal their illegal
activities).
• PII can often be relatively easy to obtain so caution needs to be exercised when
depending on this information for authentication.
Something You Have Authentication
• There are various ways to authenticate a user based on something they have.
Examples include a smart card, USB token, or key fob that contains a chip with
authentication data, such as a digital certificate.
• Digital certificates are a public key cryptography technology (read more on digital
signatures, digital certificates and public key infrastructure). The card must be
presented to a card reader before the user can be authenticated.
• A USB token can be plugged into a normal USB port. When the card or token is read,
its software prompts the user for a Personal Identification Number (PIN) or
password; this mitigates the risk of the device being used if it is lost or stolen.
• Another option is a hardware token that generates a one-time password. The
token displays a number that changes periodically; the number is computed from
a secret shared between the token and the authenticating server together with the
current time (or a counter), so the server can compute the same value, and
inputting the correct code proves possession of the token.
• The main concerns with "something you have" technologies are loss and
theft and the chance that the device can be counterfeited. There are also
hardware and maintenance costs.
Something You Are Authentication
• "Something you are" means employing some sort of biometric recognition
system. Many types of biometric information can be recorded, including
fingerprint patterns, signature recognition, iris or retina recognition, or
facial recognition.
• The chosen biometric information (the template) is scanned and recorded in a
database. When the user wants to access a resource, s/he is rescanned and the
scan compared to the template.
• If they match to within a defined degree of tolerance, access is granted.
Multifactor Authentication (combine 2 or 3 together)
• An authentication technology is considered "strong" if it combines the use of more
than one type of technology (multifactor). Single factor authentication systems can
quite easily be compromised: a password could be written down or shared, a smart
card could be lost or stolen, and a biometric system could be subject to high error
rates.
• Two-factor authentication combines something like a smart card or biometric
mechanism with "something you know", such as a password or PIN. Two credentials
of the same type (a password plus a PIN, for example) are still single-factor.
• Three-factor authentication combines all three technologies. An example of this would
be a smart card with integrated thumb- or fingerprint reader. This means that to
authenticate, the user must possess the card, the user's fingerprint must match the
template stored on the card, and the user must input a PIN.
Authorization
• Authorization is the process by which users (typically authenticated
users) are granted rights to access and modify resources.
There are two important functions in authorization:
■ The process of ensuring that only authorized rights are exercised
(policy enforcement).
■ The process of determining rights (policy definition).
Formal Access Control Models
• An important consideration in designing a security system is to determine how
users receive rights (or to put it another way, how Access Control Lists [ACL] are
written).
• Access control or authorization models are generally classed as one of the
following:
• ■ Discretionary Access Control (DAC).
• ■ Role-based Access Control (RBAC).
• ■ Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
• Discretionary Access Control (DAC) stresses the importance of the owner. The
owner is originally the creator of the resource, though ownership can be
assigned to another user.
• The owner is granted full control over the resource, meaning that s/he can
modify its ACL to grant rights to others. This is the most flexible model and
currently widely implemented in terms of computer and network security.
• In terms of file system security, it is the model used by UNIX/Linux
distributions and Microsoft Windows. As the most flexible model, it is also the
weakest, because it makes centralized administration of security policies the
most difficult to enforce.
• It is also the easiest to compromise, as it is extremely vulnerable to insider
threats.
Role-based Access Control (RBAC)
• Role-based Access Control (RBAC) adds an extra degree of administrative
control compared with the DAC model. Under RBAC, a set of organizational roles
is defined and users are allocated to those roles.
• Under this system, the right to modify roles is reserved to administrative
accounts. Therefore the system is non-discretionary, as each user has no right to
modify the ACL of a resource, even though they may be able to change the
resource in other ways.
• Users are said to gain rights implicitly (through being assigned to a role) rather
than explicitly (being assigned the right directly).
Mandatory Access Control (MAC)
• Mandatory Access Control (MAC) is based on the idea of security clearance levels.
Rather than defining access control lists on resources, each object and each subject is
granted a clearance level (referred to as a label).
• If the model used is a hierarchical one (that is, high clearance users are trusted to
access low clearance objects), subjects are only permitted to access objects at their own
clearance level or below.
• Alternatively, each resource and user can be labeled as belonging to a domain
(compartmentalized). A user may only access a resource if they belong to the same
domain. This is referred to as "Need to Know". The labeling of objects and subjects
takes place using pre-established rules. The critical point is that these rules cannot be
changed (except by the system owner) and therefore are also non-discretionary. Also, a
subject is not permitted to change an object's label or to change their own label.
• This type of access control is associated with military and secret service
organizations, where the inconveniences forced on users are secondary to
the need for confidentiality and integrity.
(classified information in the military, CIA, FBI, police - classified in levels
and access is granted based on the clearance level of the individual)
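The RBAC and MAC rules from the preceding slides, as an added example that is not part of the original lecture. The MAC check implements the hierarchical rule (a subject reads at its own clearance level or below) combined with compartments (need to know), with labels that a subject cannot rewrite; the RBAC class lets rights flow only through roles and reserves role changes to administrative accounts. The clearance levels, compartment names, roles and the Label/Rbac names are assumptions of this example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Added example, not from the original deck. The clearance hierarchy and the
# role/permission names are assumptions of this example.

# --- Mandatory access control: labels fixed by policy, not by users ---------

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)   # frozen: a subject cannot rewrite its own or an object's label
class Label:
    level: str
    compartments: frozenset = frozenset()   # need-to-know domains, e.g. {"CRYPTO"}

    def dominates(self, other: Label) -> bool:
        """Hierarchical rule (level high enough) AND need-to-know (every compartment held)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def mac_can_read(subject: Label, obj: Label) -> bool:
    """Read-down: a subject may read objects at its own level or below, in its compartments."""
    return subject.dominates(obj)


# --- Role-based access control: rights flow through roles -------------------

class Rbac:
    def __init__(self) -> None:
        self.role_permissions: dict[str, set[tuple[str, str]]] = {"admin": set()}
        self.user_roles: dict[str, set[str]] = {}

    def _is_admin(self, user: str) -> bool:
        return "admin" in self.user_roles.get(user, set())

    def define_role(self, actor: str, role: str, permissions: set[tuple[str, str]]) -> None:
        if not self._is_admin(actor):
            raise PermissionError(f"{actor} may not define roles")
        self.role_permissions[role] = set(permissions)

    def assign(self, actor: str, user: str, role: str) -> None:
        """Only administrative accounts change role membership: non-discretionary."""
        if not self._is_admin(actor):
            raise PermissionError(f"{actor} may not assign roles")
        if role not in self.role_permissions:
            raise KeyError(role)
        self.user_roles.setdefault(user, set()).add(role)

    def check(self, user: str, resource: str, action: str) -> bool:
        """A user holds a right implicitly, through some role; never directly."""
        return any((resource, action) in self.role_permissions[r]
                   for r in self.user_roles.get(user, set()))


def bootstrap() -> Rbac:
    """Build a small system with one admin; the first admin is seeded out of band."""
    rbac = Rbac()
    rbac.user_roles["root"] = {"admin"}
    rbac.define_role("root", "payroll_clerk", {("payroll", "read")})
    rbac.define_role("root", "payroll_manager", {("payroll", "read"), ("payroll", "write")})
    rbac.assign("root", "alice", "payroll_clerk")
    return rbac


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"CRYPTO"}))
    print(mac_can_read(analyst, Label("CONFIDENTIAL", frozenset({"CRYPTO"}))))   # True
    print(mac_can_read(analyst, Label("TOP SECRET", frozenset({"CRYPTO"}))))     # False: level
    print(mac_can_read(analyst, Label("CONFIDENTIAL", frozenset({"NUCLEAR"}))))  # False: need to know
    rbac = bootstrap()
    print(rbac.check("alice", "payroll", "read"), rbac.check("alice", "payroll", "write"))  # True False
```

Note the difference in who can change what: in the MAC part nobody in the code path changes a label at all (the dataclass is frozen, and the policy table LEVELS belongs to the system owner), while in the RBAC part a user such as alice cannot give herself the payroll_manager role because assign() checks for the admin role first.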
Rule-based Access Control
• Rule-based access control is a term that can refer to any sort of access control model
where access control policies are determined by system enforced rules rather than
system users.
• As such, RBAC and MAC are both examples of rule-based (or non-discretionary)
access control. As well as the formal models, rule-based access control principles are
increasingly being implemented to protect computer and network systems founded on
discretionary access from the sort of misconfiguration that can occur through DAC.
• One example is forcing applications such as web browsers to run in a "sandbox"
mode, to prevent malicious scripts on a website from using the privileges of the
logged on user to circumvent the security system. A key point is that privileges are
restricted, regardless of the user's identity.
Single Sign-on (SSO)
• Single Sign-On (SSO) means that a user only has to authenticate to a system once to
gain access to all the resources to which the user has been granted rights.
• An example is the Kerberos authentication and authorization model(read more
about Kerberos). This means (for example) that a user that has authenticated with
Windows is also authenticated with the Windows domain's SQL Server and
Exchange Server services.
• The advantage of single sign-on is that each user does not have to manage multiple
user accounts and passwords. The disadvantage is that compromising the account
also compromises multiple services.
Accounting
• Accounting (or accountability or auditing) means recording when and by whom a
resource was accessed. Accounting is critical to security.
• The purpose of accounting is to track what has happened to a resource over time.
As well as keeping a log of authorized access and edits, this can also reveal
suspicious behavior and attempts to break through security.

Logs
Accounting is generally performed by logging actions automatically. All network
operating systems (NOS) and many applications and services can be configured to log events.
• Logging generally needs to be enabled and configured by the administrator. The main
decision is which events to record. Logs serve the following two general purposes:
■ Accounting for all actions that have been performed by users. Change and version
control systems depend on knowing when a file has been modified and by whom.
• Accounting also provides for non-repudiation (that is, a user cannot deny that they
accessed or made a change to a file). The main problems are that auditing successful
access attempts can quickly consume a lot of disk space and analyzing the logs can be
very time consuming.
■ Detecting intrusions (or attempted intrusions). Here records of failure-type events are
likely to be more useful, though success-type events can also be revealing if they show
unusual access patterns.
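Detection logic of the kind described above (bursts of failure events, and success events that show an unusual pattern), run over a few constructed log lines, as an added example that is not part of the original lecture. The log format, the thresholds and the rule names are assumptions of this example; the addresses come from the documentation ranges.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, in a format assumed for this example (not any real
# system's format). 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T09:00:01 LOGON FAILURE user=alice src=203.0.113.5
2024-05-01T09:00:03 LOGON FAILURE user=alice src=203.0.113.5
2024-05-01T09:00:04 LOGON FAILURE user=bob src=203.0.113.5
2024-05-01T09:00:06 LOGON FAILURE user=carol src=203.0.113.5
2024-05-01T09:00:08 LOGON FAILURE user=dave src=203.0.113.5
2024-05-01T09:00:10 LOGON SUCCESS user=dave src=203.0.113.5
2024-05-01T09:15:00 LOGON FAILURE user=erin src=198.51.100.7
2024-05-01T09:15:30 LOGON SUCCESS user=erin src=198.51.100.7
2024-05-01T03:12:00 LOGON SUCCESS user=alice src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGON (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text: str) -> list[dict]:
    """Parse the lines we recognise, skip the rest, and return them in time order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events: list[dict], fail_threshold: int = 5, burst_threshold: int = 3,
           window: timedelta = timedelta(seconds=60), work_hours: tuple = (8, 18)) -> list[tuple]:
    """Return (rule, source, detail) findings. Thresholds are assumptions for the example."""
    findings = []
    recent_failures: dict[str, deque] = defaultdict(deque)  # src -> failure times in window
    reported = set()
    for e in events:
        q = recent_failures[e["src"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()  # drop failures older than the window
        if e["result"] == "FAILURE":
            q.append(e["ts"])
            if len(q) >= fail_threshold and e["src"] not in reported:
                reported.add(e["src"])
                findings.append(("brute-force", e["src"],
                                 f"{len(q)} failures within {int(window.total_seconds())}s"))
        else:
            # A success right after a burst of failures is the event worth looking at.
            if len(q) >= burst_threshold:
                findings.append(("success-after-failures", e["src"],
                                 f"user={e['user']} after {len(q)} failures"))
            if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
                findings.append(("off-hours-logon", e["src"],
                                 f"user={e['user']} at {e['ts'].isoformat()}"))
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(*finding)
```

On the sample, the five failures from 203.0.113.5 against different usernames trigger the brute-force rule, the success for dave from the same source immediately afterwards is the record a responder would open first, and erin's single typo followed by a success is correctly left alone.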
• Obviously, the more events that are logged, the more difficult it is to analyze and
interpret the logs.
• Also, logs can take up a large amount of disk space. When a log reaches its
allocated size, it will typically start to overwrite the earliest entries (or, depending
on configuration, stop recording new ones).
This means that some system of backing up or forwarding logs will be needed in
order to preserve a full accounting record to points in time. It is also critical that
the log files be kept secure, so that they cannot be tampered with.
Insider threats are particularly pertinent here as rogue administrators could try to
doctor the event log to cover up their actions.
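One way to make a log tamper-evident, as an added example that is not part of the original lecture: each entry carries the hash of the previous one, so an edited entry breaks every later hash, and the head hash is sealed with a key held by a separate log collector rather than by the local administrator. The demo shows why the chain alone is not enough against a rogue administrator who can simply recompute it. The records, the key and the function names are constructed for this example.

```python
import hashlib
import hmac
import json

# Added example, not from the original deck. The record fields and the key
# below are constructed for illustration; in practice the key lives on the
# collector that receives forwarded logs, not on the host being audited.
GENESIS = "0" * 64
COLLECTOR_KEY = b"constructed-key-held-by-the-log-collector"


def _digest(seq: int, prev: str, record: dict) -> str:
    body = json.dumps({"seq": seq, "prev": prev, "record": record},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append_entry(chain: list, record: dict) -> dict:
    """Each entry commits to the previous one, so an edit breaks every later hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "prev": prev, "record": dict(record)}
    entry["hash"] = _digest(entry["seq"], prev, entry["record"])
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Return (True, -1) if intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if (entry["seq"] != i or entry["prev"] != prev
                or _digest(i, prev, entry["record"]) != entry["hash"]):
            return False, i
        prev = entry["hash"]
    return True, -1


def rehash(chain: list) -> None:
    """What a rogue administrator with write access does after editing: recompute everything."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        entry["seq"], entry["prev"] = i, prev
        entry["hash"] = _digest(i, prev, entry["record"])
        prev = entry["hash"]


def seal_head(chain: list, key: bytes) -> str:
    """MAC over the head hash with a key the local administrator does not hold."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, head.encode("ascii"), hashlib.sha256).hexdigest()


def check_seal(chain: list, key: bytes, seal: str) -> bool:
    return hmac.compare_digest(seal_head(chain, key), seal)


def demo() -> dict:
    chain = []
    for rec in [
        {"user": "alice", "action": "read", "object": "payroll.xlsx"},
        {"user": "root", "action": "delete", "object": "payroll.xlsx"},
        {"user": "bob", "action": "read", "object": "report.docx"},
    ]:
        append_entry(chain, rec)
    seal = seal_head(chain, COLLECTOR_KEY)       # taken by the collector at the time
    intact = verify_chain(chain)
    chain[1]["record"]["user"] = "nobody"        # root doctors the entry about root
    after_edit = verify_chain(chain)
    rehash(chain)                                # ...and recomputes the chain
    after_rehash = verify_chain(chain)
    return {"intact": intact, "after_edit": after_edit, "after_rehash": after_rehash,
            "seal_still_valid": check_seal(chain, COLLECTOR_KEY, seal)}


if __name__ == "__main__":
    print(demo())
```

The chain detects an edit by anyone who cannot rewrite the whole file; the seal (or, equivalently, forwarding each entry to a collector the administrator cannot write to) is what detects an edit by someone who can.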
Surveillance
• Surveillance is a means of accounting for physical access to a system
(though electronic surveillance can also detect when a user accesses a
computer system).
• Surveillance is also a type of access control, as it acts as a deterrent to
those who would otherwise attempt to penetrate the system, carry out a
fraud, or misuse information or the system.
Incident Reporting
• Incident reporting means informing the relevant person that there has been a
security breach.
• Auditing software might do this automatically (for example, by emailing the
administrator).
• For situations not covered by software, there needs to be a clear policy for
employees to follow:
■ What is an incident? What should I report?
■ To whom do I make the report?
■ How quickly should I report an incident?
• E.g. a malware infection or a DoS (denial of service) attack.
Answer these questions to test what you have learned in this unit.
• 1) What is the difference between authorization and authentication?
• 2) What type of access control system is based on resource ownership?
• 3) True or false? A "Need to Know" policy can only be enforced using discretionary or role-based access
control.
• 4) What steps should be taken to enroll a new user?
• 5) What is the basis of computer security accounting?
• 6) What term is used to describe a property of a secure network where a sender cannot deny having sent a
message?
• 7) How does accounting provide non-repudiation?
• 8) You are implementing security controls to protect highly confidential information that must only be made
available on a "Need to Know" basis. What class of security control should you investigate?
• 9) You have implemented a web gateway that blocks access to a social networking site. How would you
categorize this type of security control?
• 10) The company you work for has suffered numerous intrusions due to poor password management by
employees. Given a significant budget to mitigate the problem, what type of security control would you use?
